IT Risk Management Toolkit Vol2-Templates DND
d be initially directed to the Financial Management and Accounting Policy Branch of NSW Treasury. This publication can be accessed from the NSW Treasury website: www.treasury.nsw.gov.au. NSW Treasury reference: TPP12-03c
Copyright Notice: In keeping with the Government's commitment to encourage the availability of information, NSW Treasury is pleased to allow the reproduction of material from this publication for personal, in-house or non-commercial use, on the condition that the source, publisher and authorship are appropriately acknowledged. All other rights are reserved. If you wish to reproduce, alter, store or transmit material appearing in the Risk Management Toolkit for NSW Public Sector Agencies for any other purpose, a request for formal permission should be directed to: Mark Pellowe, Senior Director, Financial Management and Accounting Policy Branch, NSW Treasury, Level 24, Governor Macquarie Tower, 1 Farrer Place, Sydney NSW 2000.
TPP12-03c Risk Management Toolkit for NSW Public Sector Agencies: Volume 2
Preface
NSW Treasury has developed this Risk Management Toolkit for NSW Public Sector Agencies (the Toolkit) to provide a comprehensive reference to the current international risk management standard, ISO 31000. The Toolkit contains guidelines, templates and a case study based on a hypothetical agency. It may be particularly useful for those agencies that are just embarking on the risk management journey. The Toolkit consists of two volumes:

Volume 1: Guidance for Agencies
Volume 2: Templates, examples and case study (this volume)
These two volumes are complemented by an Executive Guide which provides a navigation aid to the detailed guidance in the Toolkit. I encourage departments and statutory bodies to familiarise themselves with the content of this volume and make use of the templates as appropriate.
TPP12-03c, ISBN 978-0-7313-3569-5
Contents

Introduction (page 1)

Part 1: Templates (page 2)
1. Consequence table (3)
2. Likelihood table (4)
3. Risk matrix (5)
4. Source-Pathway-Target methodology (7)
5a. Risk assessment (portrait version) (9)
5b. Risk assessment (landscape version) (10)
6a. Risk register (option 1) (11)
6b. Risk register (option 2) (12)
7. Monitoring significant risks (13)
8. Sample risk report (14)
9. Maturity rating for risk management performance (15)
10. Capability matrix (18)
11a. Stakeholder analysis and communication planning (20)
11b. Stakeholder analysis matrix (21)
11c. External and internal stakeholders (22)
11d. Risk management communication needs analysis (23)
11e. Risk management communication strategy (24)

Part 2: Case study: Southland Department of Law Enforcement (page 25)
Southland DLE organisational chart (26)
Southland DLE risk management implementation plan 2012-14 (27)
Southland DLE risk management policy (34)
Southland DLE stakeholder analysis matrix (36)
Southland DLE capability matrix (37)
Southland DLE consequence table (39)
Southland DLE consequence table for threats (40)
Southland DLE likelihood table (42)
Southland DLE risk matrix (43)
Southland DLE risk register (44)
Southland DLE risk profiles (50, 51, 53)
Introduction
The Risk Management Toolkit for NSW Public Sector Agencies (the Toolkit) consists of two volumes that are complemented by an Executive Guide which provides a navigation aid to the detailed guidance in the Toolkit. This document is Volume 2 of the Toolkit. Volume 2 provides practical assistance for implementing the concepts discussed in Volume 1 of the Toolkit. The information contained in this volume is presented in two parts.

Part 1: Templates and examples. Templates and examples are provided as a guide to help you practically apply the concepts explained in Risk Management Toolkit for NSW Public Sector Agencies: Volume 1 Guidance for Agencies. These templates and examples can be tailored to suit your business.

Part 2: Case study: Southland Department of Law Enforcement. In addition to the templates provided in Part 1 of this volume, a case study based on a hypothetical general government agency, the Southland Department of Law Enforcement, has been used as the basis for selected worked examples.

The table below shows, for each section, where a template or sample appears and where the Southland DLE case study provides a worked example (page numbers in this volume).

Section | Template or sample (page) | Southland DLE case study (page)
Risk management process | |
Consequence table | 3 | 39
Likelihood table | 4 | 42
Risk matrix | 5 | 43
Source-Pathway-Target methodology | 7 |
Risk assessment | 9, 10 |
Risk register | 11, 12 | 44
Risk profiles | | 50
Risks affecting strategic objectives | | 51
Heat maps | | 53
Monitoring significant risks | 13 |
Sample risk report | 14 |
Risk management framework | |
Risk management policy | | 34
Risk management implementation plan | | 27
Maturity rating for risk management performance | 15 |
Capability matrix | 18 | 37
Stakeholder analysis and communication plan | 20 |
Stakeholder analysis matrix | 21 | 36
Risk management communication needs analysis | 23 |
Risk management communication strategy | 24 |
Part 1: Templates
The following templates are provided to get you started in documenting your risk management activities. They are intended to help you develop your own versions. It is not necessary to use all of these templates. When developing your risk management tools, you should tailor the templates you decide to use to the specific needs of your agency. You are not required to use these exact templates; for example, you may already have your own templates that achieve a similar purpose. What is important is to tailor the templates to the needs of your stakeholders. Many of the templates are also available in Excel format for download from the Risk Management Toolkit page of the NSW Treasury website at www.treasury.nsw.gov.au.
1. Consequence table
A consequence table is a matrix in which consequence levels are described for different types of consequences. The three main steps for creating a consequence table are:

Step 1: Identify the types of consequences that should be included in your table. Identify all the types of consequences that will affect your agency's ability to achieve its objectives. Some common consequence types include financial, service delivery, work health and safety, stakeholder satisfaction, reputation and image.

Step 2: Determine how many levels of consequences you need in your table. Determine the number of levels required to describe the severity that you anticipate for the consequence types identified in step 1, as shown below:

Consequence levels
Consequence level | Consequence level description
Very high |
High |
Medium |
Low |
Step 3: Describe each consequence level for each consequence type An example of step 3 is shown in the following table.
Consequence table (threats)

Consequence type | Low | Medium | High | Very high
Financial loss | Does not exceed 0.1% of budget | More than 0.1% but not more than 0.5% of budget | More than 0.5% but not more than 2% of budget | Exceeds 2% of budget
Service delivery | Service failure across a single service group's services that can be managed within the service group | A significant disruption to business continuity across a single service group's service, requiring resources from other areas of your agency | A major disruption to business continuity across multiple services that your agency provides | A significant disruption in business continuity across all major services your agency provides

Note that the financial bands are contiguous: each level starts where the one below it ends, so a given loss maps to exactly one level.
You can use a similar template for both threats and opportunities (refer to Volume 1, Section 4.3.3).
2. Likelihood table
A likelihood table can be used to describe the levels of likelihood for risks. The three main steps for creating a likelihood table are listed below.

Step 1: Determine how many levels of likelihood you need in your table. Define sufficient levels so that each risk can be assigned an appropriate likelihood rating.

Step 2: Decide how to describe the likelihood. There are various ways you can describe the likelihood; they include probability and/or indicative frequency.

Step 3: Describe the levels of likelihood in a table. Each level on the likelihood scale should be described so it is easily understood and unambiguous and can be clearly distinguished from the level above or below it.

Likelihood table
Likelihood level | Frequency (the event is expected to occur:) | Probability
Almost certain | in most circumstances; frequently during the year | More than 99%
Rare | |
3. Risk matrix

A risk matrix may be used to determine the level of a single risk by combining its consequence and likelihood. Below is an example of a 4 x 4 matrix with three escalation points. This can be adapted to your needs; for example, you may choose to use a 5 x 5 matrix with four escalation points. Note that it is not necessary to have the same number of consequence and likelihood levels.
Risk matrix (4 x 4): rows are likelihood levels (Almost certain, Likely, Possible, Rare) and columns are consequence levels; each cell holds a rank from 1 to 16. Only some cell values survive extraction: 10, 11, 15 and 16 in the Almost certain row, 13 and 14 in the Likely row, and 12 in the Possible row.
A similar matrix can also be used to plot multiple risks to create a risk profile, such as a heat map. Refer to the worked example in Part 2. Note that the example in the case study uses four levels, instead of the three risk levels suggested here. When you are designing your risk matrix, risks (or opportunities) can be divided into those that require no further action, those that may require action and those that demand action. You can also align these risks with the escalation actions required (see below for an example where three escalation levels have been described).
Risk actions and escalation points

Group | Group description | Action required for risk | Risk escalation
12-16 | Red / Extreme | Action required: risks that cannot be accepted or tolerated and require treatment | Escalated to the Head of Authority and executive. Control strategy developed and monitored by the Head of Authority or executive.
5-11 | Yellow / Moderate | Potential action: risks that will be treated as long as the costs do not outweigh the benefits, i.e. As Low As Reasonably Practicable (ALARP) | Managed at functional or service group level. Escalated to the relevant direct report to the Head of Authority for information.
1-4 | Green / Low | No action: acceptable risks requiring no further treatment; may only require periodic monitoring | No action required. Monitoring within the functional area or business unit.
Risk tolerance table

Group | Threat | Opportunity
Action required (12-16) | Unacceptable risks: threats that your agency cannot tolerate at their current levels because their consequences coupled with their likelihoods are unacceptably high | Opportunities whose positive consequences, coupled with their likelihoods, are so large that your agency must pursue them because it cannot afford to forgo the benefits associated with them
Potential action (5-11) | ALARP risks: threats that your agency is prepared to tolerate at their current levels if the costs associated with implementing additional control measures outweigh the associated benefits | Opportunities that your agency may wish to pursue, as the benefits outweigh the costs associated with implementing the strategies required to realise the opportunity
No action (1-4) | Acceptable risks: threats that your agency can accept at their current levels after existing controls | Opportunities that your agency will give a low priority to, as the benefits are not sufficient to expend resources on pursuing
4. Source-Pathway-Target methodology
One of many techniques that can be used to identify risks is the Source-Pathway-Target methodology. This methodology can help you determine what sources of risk and types of risks affect particular assets in your agency. The methodology is based on the premise that where there is a source of risk and an asset (target) that may be affected by that source of risk, then the pathway between them is a risk. To protect their assets, organisations need to provide barriers (risk controls) against sources of risk. To identify your risks using this methodology, you need to follow the three-step process set out below. You can use the template on the next page.

Step 1: Identify sources of risk in your agency. The PESTLE (political, economic, social, technological, legal and environmental) approach provides a useful starting point for identifying sources of strategic risk. (You can add to the list as necessary.) The PESTLE model is appropriate for identifying strategic risks. However, it may be less suitable when identifying sources of, for example, operational risks. In this case, it may be more appropriate to use the SABRE (safety, asset, business output, reputation and environment) model. Whichever model you choose, you should ensure that you still examine all sources of risk within the environment being assessed, from the perspective of all internal and external stakeholders.

Step 2: Identify your agency's assets. An agency's assets include, but are not necessarily limited to, the following:
- workforce
- hardware: infrastructure and equipment
- systems and processes
- data and information
- partnerships
- reputation.

Step 3: Identify each of your agency's objectives. For each objective, identify connections between a source of risk and an asset. Describe each connection as a risk so that:
- the source, the event and the impact on your agency's objectives are consistently and clearly defined and differentiated
- those who were not involved in the assessment process can understand the risk.

You may wish to group risks into categories, such as financial, work health and safety, service interruption, community safety, stakeholder satisfaction and environmental impact.
Source-Pathway-Target template

Agency objective: ............

Source of uncertainty | Pathway (risk) | Target (asset)

Each time you join the dots between a source and a target, you have identified a risk that needs to be described.
5a. Risk assessment (portrait version)

Worst case: Make an assessment of the risk based on the scenario where the current controls do not exist or completely fail. Refer to Template 5b for a risk ratings legend.
Consequence level (use your consequence table) | Likelihood level (use your likelihood table) | Risk level (use your risk matrix)

Controls: List each current control and its effectiveness (substantially effective, partially effective or largely ineffective). See Template 5b for the control effectiveness legend.
Control(s) description: 1. 2. 3. | Control effectiveness rating(s): 1. 2. 3.

Current risk: Make an assessment of the risk considering the effectiveness of current controls.
Consequence level | Likelihood level | Risk level

Treatment: List additional controls to be put in place if the risk is not acceptable/tolerable, including resources required for each (financial, physical assets, HR) and a schedule for implementation.
Treatment: 1. 2. 3. | Resources required: 1. 2. 3. | Person responsible: 1. 2. 3. | Implementation schedule: 1. 2. 3.

Residual risk: Make an assessment of the risk level remaining after risk treatment.
Consequence level | Likelihood level | Risk level

Monitoring and review: Outline the reporting protocols for the risk and when the risk and controls are to be reviewed.

Communicate and consult: Do you need to communicate the results of this risk assessment to any stakeholders? If so, what channel(s) will you use and what is the schedule?

Comments: Comment on any uncertainties or sensitivities. Are the risks that you have identified making the achievement of your agency's objectives too uncertain?

Compiled by | Branch/Division | Date (DD/MM/YYYY) | Reviewed by and date
5b. Risk assessment (landscape version)
Division/Branch: ............

Risk owner: Include the name of the person managing the risk and the area of the agency he or she works in (if the person assigned to treat the risk is different to the risk owner, you may also include their details in brackets within this section).

Resources required for proposed treatment: For example, financial, physical assets, HR.

Stakeholders consulted: Include internal and external stakeholders.

Monitoring and review: Outline the reporting protocols for the risk and when the risk and controls are to be reviewed.

Communicate and consult: Do you need to communicate the results of this risk assessment to any stakeholders? If so, what channel(s) will you use and what is the schedule?

Comments: Comment on any uncertainties or sensitivities. Are the risks that you have identified making the achievement of your agency's objectives too uncertain?

Risk ratings legend
Level | Worst case | Current case | Residual risk
(Rate each case using your risk matrix.)

Control effectiveness legend
Substantially effective: Existing controls address the risk, are in operation and are applied consistently. Management is confident that the controls are effective and reliable. Ongoing monitoring is required.
Partially effective: Controls are only partially effective, require ongoing monitoring and may need to be redesigned, improved or supplemented.
Largely ineffective: Management cannot be confident that any degree of risk modification is being achieved. Controls need to be redesigned.
6a. Risk register (option 1)

Columns of the register:
- Risk ID
- Risk description
- Business area / risk owner
- Date last assessed (DD/MM/YYYY)
- Risk category
- Current case risk level: the risk level after current controls
- Treatments: proposed treatments
- Control effectiveness: e.g. substantially effective, partially effective, largely ineffective
- Resources required: financial, physical, human resources
- Residual risk level: expected level of risk remaining once additional treatments have been implemented
- Review and reporting requirements: how and when are the risk and controls to be reviewed and reported?
- Comments: uncertainties or sensitivities; are the risks that you have identified making the achievement of your agency's objectives too uncertain?
6b. Risk register (option 2)

Columns of the register:
- Risk ID and risk description
- By (risk owner)
- Consequence types, e.g. financial, service delivery (these should be aligned to your consequence table)
- Current: level of risk remaining after the application of existing controls; is the risk acceptable/tolerable?
- Resources required: financial, physical, human resources
- Residual: expected level of risk remaining after risk treatments; is the risk acceptable/tolerable?
- Review and reporting requirements: how and when are the risk and controls to be reviewed and reported?
- Comments: uncertainties or sensitivities; are the risks that you have identified making the achievement of your agency's objectives too uncertain?
7. Monitoring significant risks

Significant risks are those that have been given a worst case risk level rated as high or above (i.e. they are in the red zone of your risk matrix).

Compiled by: | Reviewed by: | Division/Branch: ............

Columns of the significant risks table:
- Risk ID
- Risk description
- Affects objective(s)
- Risk levels: worst case (list risks that have a worst case level of high or above, i.e. in the red zone of your risk matrix) and current case
- Date last assessed
- Control or risk treatment
- Risk owner: include the name of the person managing the risk and the area of the organisation he or she works in
- Monitoring mechanisms: how and when are the risk and controls to be reviewed and reported?
- Current status
- Comments
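The risk matrix and escalation groups of Template 3, and the worst case / current case / residual ratings that Templates 5 and 7 ask for, can be checked mechanically once a register is kept as data. The following Python is an added example written for this page, not part of the Toolkit or of NSW Treasury's templates. The 4 x 4 ranking matrix is constructed: only the cells 10, 11, 15, 16 (Almost certain), 13, 14 (Likely) and 12 (Possible) are visible on the page, and the remaining ranks are an assumption chosen so that rank rises with both likelihood and consequence. The sample register entries are hypothetical.

```python
"""Risk matrix scoring, escalation grouping and register checks (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LIKELIHOOD = ["Rare", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Low", "Medium", "High", "Very high"]

# Constructed 4 x 4 ranking matrix: each cell holds a unique rank 1-16, rising
# with likelihood (rows) and consequence (columns). Only 10, 11, 15, 16
# (Almost certain), 13, 14 (Likely) and 12 (Possible) appear on the page;
# the other ranks are an assumption for illustration.
MATRIX = [
    [1, 2, 4, 7],       # Rare
    [3, 5, 8, 12],      # Possible
    [6, 9, 13, 14],     # Likely
    [10, 11, 15, 16],   # Almost certain
]

# Escalation groups from the "Risk actions and escalation points" table.
GROUPS = (
    (12, 16, "Red/Extreme", "treat; escalate to Head of Authority and executive"),
    (5, 11, "Yellow/Moderate", "treat if benefits outweigh costs (ALARP); manage at service group level"),
    (1, 4, "Green/Low", "accept; periodic monitoring within the business unit"),
)
RED_FLOOR = 12  # lowest rank in the red zone


def score(likelihood: str, consequence: str) -> int:
    """Rank one (likelihood, consequence) pair using the matrix."""
    return MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


def group(rank: int) -> Tuple[str, str]:
    """Map a rank to its colour group and required action; rejects ranks outside 1-16."""
    for low, high, label, action in GROUPS:
        if low <= rank <= high:
            return label, action
    raise ValueError(f"rank {rank} is outside the matrix")


@dataclass
class Assessment:
    likelihood: str
    consequence: str

    @property
    def rank(self) -> int:
        return score(self.likelihood, self.consequence)


@dataclass
class Risk:
    risk_id: str
    description: str
    worst_case: Assessment                 # controls absent or completely failed
    current: Assessment                    # with existing controls
    residual: Optional[Assessment] = None  # after proposed treatments, if any
    control_effectiveness: List[str] = field(default_factory=list)


def significant_risks(register: List[Risk]) -> List[str]:
    """Template 7: risks whose worst case rank sits in the red zone."""
    return [r.risk_id for r in register if r.worst_case.rank >= RED_FLOOR]


def inconsistencies(register: List[Risk]) -> List[str]:
    """Checks a reviewer would apply before signing off a register."""
    problems = []
    for r in register:
        if r.current.rank > r.worst_case.rank:
            problems.append(f"{r.risk_id}: current rank exceeds worst case")
        if r.residual is not None and r.residual.rank > r.current.rank:
            problems.append(f"{r.risk_id}: residual rank exceeds current")
        eff = r.control_effectiveness
        # Controls all rated largely ineffective cannot justify a current
        # rating below the worst case.
        if eff and all(e == "Largely ineffective" for e in eff) and r.current.rank < r.worst_case.rank:
            problems.append(f"{r.risk_id}: current rank relies on controls rated largely ineffective")
    return problems


# Constructed sample register (hypothetical risks, not from the case study).
SAMPLE_REGISTER = [
    Risk("R1", "Loss of the case-management system", Assessment("Likely", "Very high"),
         Assessment("Possible", "High"), Assessment("Rare", "High"),
         ["Substantially effective", "Partially effective"]),
    Risk("R2", "Unauthorised disclosure of investigation records", Assessment("Possible", "Very high"),
         Assessment("Possible", "Medium"), None, ["Largely ineffective"]),
    Risk("R3", "Minor delays in answering public enquiries", Assessment("Likely", "Low"),
         Assessment("Possible", "Low"), None, ["Substantially effective"]),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, "worst", r.worst_case.rank, "current", r.current.rank, group(r.current.rank)[0])
    print("Significant risks:", significant_risks(SAMPLE_REGISTER))
    print("Inconsistencies:", inconsistencies(SAMPLE_REGISTER))
```

Run as a script it lists each risk's worst and current ranks with the current escalation group, then the significant-risk list (R1 and R2, both red in the worst case) and the one inconsistency: R2 claims a current rating well below its worst case while its only control is rated largely ineffective, which is exactly the kind of entry an audit and risk committee should send back.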
8. Sample risk report

You can design your own reporting templates, similar to this example, for summarising risk register information to present to key stakeholders.

Summary

Key comments: Provide an overall summary of the major risks facing the organisation, including treatments.

Risk | Objective(s) affected | Risk owner | Trend of risk
Risk 1 | | |
Risk 2 | | |
Risk 3 | | |
Risk 4 | | |
Risk 5 | | |
Risk 6 | | |
Risk 7 | | |
(Write "No major risks" if none apply.)

Risk owner: Include the name of the person managing the risk and the area of the organisation he or she works in.

Detail for each risk (example shown for Risk 2)

Risk description | Objective(s) affected | Current risk rating (determine using your risk matrix) | Control effectiveness (refer to Template 5b for the control effectiveness legend) | Treatment description and schedule | Resources required | Risk owner (include the name of the person managing the risk and the area of the organisation he or she works in) | Trend of risk
9. Maturity rating for risk management performance

Continual improvement is a core component of your risk management framework. It means enhancing your risk management framework and moving to a higher level of risk maturity. Your agency should regularly monitor your risk management maturity so that the results can inform your improvement strategies. You can use the attributes of enhanced risk management described in Annex A of ISO 31000 to measure your risk management maturity by defining a set of success indicators for each attribute. You can develop success indicators appropriate to your agency. An example is provided in this template. You may wish to use the results of this matrix to prioritise improvement strategies and to inform your agency's attestation of compliance with Core Requirement 5 of TPP 09-05.

Maturity matrix rating scale

Maturity rating | Description
Low | There is no or minimal awareness across the agency of the need to manage risk and there are no processes in place.
Inconsistent | There is organisational awareness of the importance of risk and some areas of the agency have processes in place.
Consistent | There is clear organisational commitment and there are common processes used across the agency.
Fully addressed | There is clear organisational commitment and there are common processes used across the agency. We routinely monitor our approach to check its effectiveness and make improvements as necessary.
Maturity matrix

Function: ............ | Date: ............

For each success indicator, record the documentary evidence and tick one maturity rating: Low, Inconsistent, Consistent or Fully addressed.

Attribute (ISO 31000 Annex A): Continual improvement
Success indicators:
- Our organisational performance is measured against explicit performance goals.
- The performance of our staff is measured against explicit performance goals.
- Our organisational performance is communicated and published.
- We review our performance annually and follow this with a revision of processes and setting of revised performance objectives for the following period.
- Risk management performance assessment is included in our performance assessment (agency and individuals).
- Our risk management framework is formally reviewed periodically.

Attribute: Full accountability for risks
Success indicators:
- All staff are fully aware of the risks, risk controls and tasks for which they are accountable.
- We define accountabilities in position descriptions and in our risk assessments and treatment plans.
- Risk management roles, responsibilities and accountabilities are defined in our induction program.
- We provide those with risk accountabilities with appropriate authority, time, training and skills to assume their responsibilities.

Attribute: Application of risk management in all decision making
Success indicators:
- Our committee minutes record explicit discussions on risks.
- Our risk management process is used when making key decisions.
- Soundly based risk management is seen within our agency as providing the basis for effective and prudent governance.

Attribute: Continual communications
Success indicators:
- Communication with stakeholders is clearly regarded by staff as an integral and essential component of risk management.
- Communication with stakeholders takes place as part of all our risk management activities.
- Communication about risk is a two-way process so that informed decisions can be made about the level of risk and the need for risk treatment against properly established and comprehensive risk criteria.
- Comprehensive and frequent internal and external reporting on significant risks and on risk management performance contributes substantially to effective organisational governance.

Attribute: Full integration in the organisation's governance structure
Success indicators:
- Risk management is embedded in our planning processes, decision-making structures and operational procedures.
- Our managers regard effective risk management as essential for the achievement of all agency objectives.
10. Capability matrix

In addition to these major roles, the executive, managers and staff will also have roles in implementing your agency's risk management framework. Your capability matrix should capture:
- the risk roles undertaken, both in implementing the risk management framework and managing risks
- the capability required to perform these roles
- how to develop this capability, including induction and ongoing learning and development.

You can use the following matrix to compare the required capability with the current skill levels of staff. This gap analysis can inform your agency's risk management training plan.

Capability matrix
Position | Risk roles | Required capability | Training needs
Head of Authority / risk sponsor | | |
The following table lists points that you can consider in your gap analysis, depending on your agency's current capability or internal capacity to provide resources for ongoing initiatives.

Example capability matrix

Where are we now?
Examine:
- Know the current workforce capability
- Current roles and job categories in relation to required capability
- Critical workforce data for your agency (including skills audits if available)
- Effectiveness of organisational structure
- External and internal operating environments (consider using SWOT analysis)
- Planned or possible organisational change or restructure, including changes in service delivery
- Organisational- and business unit-specific skill requirements emerging from planned or possible change scenarios
- Agency performance and customer feedback
- Organisational culture
Decide:
- Pivotal roles for delivering a successful risk management framework now and in the future (focus your efforts)
- Availability of required skills to meet risk management challenges
- Capability-building objectives
- Skill-building approach (e.g. top down, bottom up, all or some business units)
- Goals and critical success factors to aid in evaluation
Deliver:
- Clear picture of the current state of the workforce in relation to risk management knowledge, experience and skills
- Analysis of how risk capability issues impact on the delivery of business outcomes
- A business case which reflects the agency's key priorities and indicates how improving risk management capability will tackle strategic challenges
- Planning framework for building risk management capability
- Change management, communication and evaluation strategies
- Shared understanding of the required risk management capability profile for pivotal roles

Enhance performance
Examine:
- Gaps or deviation in current capability
- Agency's effectiveness in making flexible use of its workforce and HR strategies
- Opportunities for cross-agency collaboration
- Current better practice
Decide:
- Strategy options to build organisational and workforce capability
- Integrated strategies to address each priority issue (adjustment of current/new practices)
- Comprehensive plans tailored to specific areas of the agency (e.g. divisional, work group)
- Resources required to implement the strategy
Deliver:
- Implementation plan and review strategy
- Integration and alignment of risk management capability and attract-and-retain strategies
- Strategy review and evaluation mechanisms
- Ongoing dialogue with line managers on emerging risk issues

Where there is an obvious need to develop a program that builds the capability of the agency to manage risk, the following questions are pertinent:
- What factors might you examine to make positive capability development decisions?
- How do you identify the most useful information?
- How do you prioritise areas for action?
- How do you best establish a workforce that is capable of managing risks into the future?
11a. Stakeholder analysis and communication planning
Stakeholders are placed on a grid according to their influence (vertical axis, "Influence of stakeholder") and whether they will feel a direct impact from the decisions your agency makes (horizontal axis). Each quadrant suggests a communication approach.

INFORMATION GIVING (high influence, not directly impacted): These stakeholders have a high degree of influence but will not feel a direct impact from the decisions your agency makes. These people are important in delivering your messages, so make sure they have the right information.

DIALOGUE (high influence, impacted): These stakeholders have a high degree of influence and will feel the impact of decisions your agency makes. These people are important in supporting agency decisions, so you need to ensure they have a detailed understanding of your risks and how you are managing them.

INFORMATION GATHERING (low influence, not directly impacted): These stakeholders have little influence and will not feel a direct impact from the decisions your agency makes. These people are an important source of information about general trends and views that your agency needs to consider as part of its decision-making processes.

CONSULTATION (low influence, impacted): These stakeholders will feel the impact of decisions your agency makes but do not have much influence or voice. These people are likely to be those that deliver or directly access your services, so you need to understand their needs and perceptions of risk.
11b. Stakeholder analysis matrix

11c. External and internal stakeholders

11d. Risk management communication needs analysis
This tool enables you to note any special needs relating to communication activities with your stakeholders that you have identified using your stakeholder analysis tool.
Function: ............ | Compiled by: ............ | Date: ............
Reviewed by: ............ | Date: ............
11e. Risk management communication strategy

Reviewed by: ............ | Date: ............

How will you communicate with each group? Consider:
- face to face, such as workshops, seminars, meetings or community forums
- written forms, such as brochures, media releases, interpretive materials or direct mail
- electronic forms, via e-mail, websites, blogs, social media, TV, radio, etc.
- networks, such as peer-group networks, pressure-group networks and educational forums.

Have stakeholders been given adequate time to respond to communications, if required?
Part 2: Case study: Southland Department of Law Enforcement
The government has allocated $40 million over four years for the establishment and full operation of a new E-Security Response Centre by December 2016. Southland DLE aims to achieve the following goals:
- safe roads
- reduced rates of crime, particularly violent crime
- people feeling safe.

The department delivers the following key programs that contribute to the above goals:
- road safety
- crime prevention and community safety
- crime response and community support
- investigation and judicial support.
Southland DLE organisational chart: the Director-General heads the department (the remainder of the chart is a graphic and is not reproduced here).

Southland DLE risk management implementation plan 2012-14
Strategy We need to ensure that our process for managing risk is clearly defined, repeatable and based on appropriate information.
Initiatives a) Identify our risk tolerances b) Develop our risk process, including the rules for risk escalation and risk reporting c) Develop our risk information strategy d) Identify, assess and control our strategic risks e) Cascade our risk management process into all levels of planning f) Develop a process for identifying and managing project risks g) Develop a process for identifying and managing ad hoc risks h) Develop our risk management reporting strategy a) Identify what constitutes an appropriate level of risk management maturity for Southland DLE b) Develop our risk management assurance program to monitor the effectiveness of our risk management framework and risk management maturity
We need to understand what level of risk management maturity is current in Southland DLE and what level is required, and develop a strategy to close the gap.
3. Risk management action plan
Note: Activities and tasks completed as part of the 2011-12 plan are included to provide a comprehensive view of the development and implementation of the risk management framework. For each initiative the tasks are listed with the date by which they are to be completed (or "Completed"), followed by the responsibility entries recorded for that group of initiatives.
Initiative 1a: Identify risk management objectives
- Set the scope and purpose for risk management (Completed)

Initiative 1b: Risk management roles
- Identify those with accountability and responsibility for roles associated with developing and implementing the risk management framework (Completed)
- Identify those with accountability and responsibility for roles associated with identifying and managing risk (Completed)
- Revise position descriptions to reflect risk management roles (June 2012)
- Revise delegation manual to reflect risk management roles (June 2012)
- Review committee charters to ensure risk management responsibilities are clearly articulated (Completed)
- Ensure roles are articulated in the risk management policy (Completed)

Initiative 1c: Integrate governance and risk management
- Review governance framework and structure to incorporate risk management (December 2012)

Initiative 1d: Integrate audit and risk management
- Review Audit and Risk Committee (ARC) charter for compliance with TPP 09-05 (Completed)
- Clarify audit and risk management roles and responsibilities (June 2012)
- Establish risk-based audit methodology (December 2012)

Initiative 1e: Integrate planning and risk management
- Embed risk management into the planning framework and all planning activities, including project planning (December 2013)

Initiative 2a: Context
- Identify Departmental objectives where risk needs to be managed (Completed)
- Identify legislative and compliance requirements (Completed)
- Undertake environmental scans (external and internal) to identify potential sources of risk (Completed)
- Undertake stakeholder analysis (Completed)
- Understand potential impacts of these sources of risk to identify the types of risk that we need to manage (Completed)

Responsibility (initiatives 1a to 2a): Chief Audit Executive (CAE); CAE; Strategic Planning and CRO; Governance and Chief Risk Officer (CRO); Human Resources; Governance
Initiative 2b: Risk Leadership Team (Executive risk champion and other risk champions)
- Communicate Director General's commitment to risk management (Completed)
- Identify membership of risk leadership team (Completed)
- Ensure risk leaders are familiar with TPP 09-05 and AS/NZS ISO 31000 and encourage them to read the Treasury Risk Management Toolkit for NSW public sector agencies (Completed)
- Hold a risk management framework information session with the risk leadership team (June 2012)

Initiative 2c: Risk culture
- Undertake a risk climate survey to establish the current (baseline) risk culture (Completed)
- Perform a gap analysis between baseline and the culture that we are aiming for (Completed)
- Identify strategies to close the gap (December 2012)

Initiative 2d: Risk management capability
- Develop our risk management capability matrix (Completed)
- Identify learning needs (Completed)
- Review training program and revise to meet risk management training needs (Completed)

Initiative 2e: Risk management policy
- Develop risk management policy (Completed)
- Review other risk-related policies for consistency (Completed)
- Review by Executive and ARC; Director General's endorsement for the policy; publish and communicate policy (Completed)
- Review risk management policy and practice (Annually)

Initiative 2f: Risk management communication strategy
- Identify communication needs using results of the stakeholder analysis (see 2a) (October 2012)
- Develop communication strategy for implementing the risk management framework (November 2012)

Initiative 3a: Risk attitude and risk tolerances
- Develop our risk tolerances for each type of risk (see 2a) to reflect our overall attitude to risk (Completed)
- Develop a risk escalation process based on our risk tolerances (Completed)
- Identify how tolerances and risk escalation will be reflected in our consequence tables and risk matrix (see 3b) (Completed)

Responsibility (initiatives 2b to 3a): CRO and ARC; CRO and Communications Manager; CRO and Communications Manager; CRO; CRO
Initiative 3b: Develop our risk process
- Identify how many risk assessment processes we need to cover all areas of our business (strategic, operational, project, etc.) (Completed)
- Research available risk assessment tools to identify appropriate methodologies for risk identification, analysis, treatment, etc. (Completed)
- Develop our consequence table(s), likelihood table(s) and risk matrices for the assessment of threats (Completed)
- Develop risk assessment facilitation and support strategy (Completed)
- Develop risk assessment and treatment guidelines, including templates (Completed)
- Monitor use of risk process for consistency (Ongoing)
- Develop review/revision plan for risk process (August 2013)
- Revise risk policy and process, including expanding our risk tables and matrix to consider positive risk (opportunities) (June 2013, then annual)

Initiative 3c: Develop our risk information strategy
- Identify stakeholder information needs (July 2013)
- Develop our risk register (Microsoft Excel-based initially) (February 2013)
- Develop our risk profiles (Microsoft Word/Excel-based initially) (February 2013)
- Investigate future options for risk information management system (July 2013)
- Develop a medium- to long-term risk information plan (September 2013)

Responsibility (initiatives 3b and 3c): ARC, Internal Audit and CRO; CRO

Initiative 3d: Identify, assess and control our strategic risks
- Undertake a risk assessment of our corporate objectives as an integral part of the strategic planning cycles to identify strategic risks and their treatment (March 2013 and ongoing; Executive team facilitated by Strategic Planning and CRO)
- Use the assessment to inform our internal audit plan (March 2013 and ongoing; Internal Audit and CAE)
- Report on risks in our strategic risk register and risk profile (March 2013 and ongoing; CRO)
- Develop and implement a monitor/review process for our strategic risks (March 2013 and ongoing; CRO)
Initiatives 3e to 3g (all tasks to be completed by April 2013 and ongoing)

Initiative 3e: Cascade our risk management process into all levels of planning (operational risks)
- Undertake risk assessments of our operational objectives as an integral part of business planning cycles to identify operational risks and their treatment (Service Group managers facilitated by Strategic Planning and CRO)
- Escalate operational risks as per strategy defined in risk matrix (Service Group managers)
- Use the assessments to inform our internal audit plan (Internal Audit and CAE)
- Report on risks in our operational risk register(s) and risk profile (where relevant) (Service Group managers and CRO)
- Develop and implement a monitor/review process for our operational risks (CRO)

Initiative 3f: Develop a process for identifying and managing project risks
- Undertake risk assessments of our project objectives as an integral part of project planning to identify project risks and their treatment (Project teams facilitated by CRO)
- Escalate project risks as per strategy defined in risk matrix (Project managers)
- Use the assessments to inform our internal audit plan as appropriate (Internal Audit and CAE)
- Report on risks in our project risk register(s) and risk profile (where relevant) (Project managers and CRO)
- Develop and implement a monitor/review process as part of our project governance framework (CRO)

Initiative 3g: Develop a process for identifying and managing ad hoc risks
- Develop a process for dealing with ad hoc risks (risks that are identified outside of planning and project work), including: analysis; treatment; escalation; communication, reporting and inclusion in risk registers; monitoring and review (CRO)
Initiative 3h: Develop our risk management reporting strategy (Responsibility: CRO/ARC)
- Understand external reporting requirements (Completed)
- Understand ARC and Executive reporting requirements (Completed)
- Develop risk management report template (Completed)
- Develop and implement risk management reporting plan (Completed)
- Review/revise risk management reporting strategy as part of the review of our risk management framework (June 2014)

Initiative 4a: Identify an appropriate level of risk management maturity (Responsibility: CRO)
- Establish a methodology for determining our organisational risk maturity (Completed)
- Undertake the maturity analysis to identify our current (baseline) maturity (June 2012)
- Review our maturity at 12 months from first assessment (June 2013)
- Use the results of the review to inform our risk management improvement strategy (July 2013)
- Review our risk management maturity methodology (March 2014)

Initiative 4b: Develop our risk management assurance program (Responsibility: CRO)
- Develop and include risk management framework KPIs in our performance management framework (November 2012)
- Develop review/revision plan for our risk management framework (Completed)
- Review our risk management framework (June 2014)
All staff are responsible for identifying and managing risk within their work areas. In undertaking their responsibilities, we expect our staff to be familiar with, and understand, the Department's Risk Management Framework, including the Department's risk reporting protocols. We expect our staff to be able to differentiate between those risks that are within their responsibility and authority to manage and those that they should escalate through their management structure for further consideration and management. The Department's Chief Risk Officer is available to support staff in undertaking their risk management activities.
All committees need to consider relevant risks and their management as a regular item of all meetings. Our Audit and Risk Committee is responsible for reviewing our:
- risk management process and procedures
- risk management strategies for major projects or undertakings
- control environment and insurance arrangements
- business continuity planning arrangements
- fraud control plan.
The Department will publish a summary of its risk management performance in its Annual Report. Our challenge for the future is to create a culture where we integrate risk management into our everyday service delivery operations and those of our contractors and partners. Everyone's involvement and support is critical to achieving our goals and departmental objectives. We have developed a common risk vocabulary to use when we talk about risk and risk management. This is available on our intranet site along with risk management tools, processes and procedures. The Department is committed to continually improving its ability to manage risk. We will review this policy and our Risk Management Framework at least annually to ensure that it continues to meet our requirements. For further information on Southland DLE's Risk Management Policy, Framework and Process, contact the Department's Chief Risk Officer, <officer name>, on email address <email contact> or by phone <contact number>.
[Stakeholder map (figure): stakeholders are plotted by "Influence of stakeholder" into four engagement quadrants: INFORMATION GIVING, DIALOGUE, INFORMATION GATHERING and CONSULTATION. Stakeholders shown on the map: Unions; Ministers (AG and Law Enforcement); Director-General; Executive Team; Action/pressure groups; ARC; Compliance/monitoring agencies; Funding/policy agencies; Service delivery partners; Commonwealth and other State Governments; Managers; Communications; Forensic services; Insurance providers; Families of operational staff; Shared services provider; Event organisers; Local government; Volunteers; NGOs; Program sponsors; Support staff; Call centre staff; Incapacitated staff.]
Risk management capability matrix (extract; columns: role, risk roles, required capability, development)

Role continued from the preceding row (role name not carried over)
- Development: External training in risk management and risk analysis; external training in security and business continuity principles; mentoring by CRO

Role: Risk champions
- Required capability: As above
- Development: External training in risk management; mentoring by CRO

Role: CRO
- Required capability: Detailed expertise in risk management and risk assessment; good understanding of the agency's external, internal and risk management context; strong facilitation skills; strong technical and report writing skills
- Development: External training in risk management and risk analysis; external training in security, business continuity, incident management, etc.; access to risk management publications and standards; membership of professional risk management body; facilitation training; access to external mentoring

Role: business unit role (role name not carried over)
- Risk roles: Undertake business unit planning and risk analyses; understand and abide by the agency's risk policy; understand and use operational risk information; report on hazards; undertake operational incident debriefs
- Required capability: As above plus: understanding of links between risk management and planning; good understanding of the agency's operational and risk management context

Role: Operational staff
- Risk roles: Understand and abide by organisational policies and procedures; understand and use operational risk information; report on hazards; participate in operational debriefs
- Required capability: Understanding of agency's approach to risk management; ability to use hazard reporting system
- Development: Induction to include risk management policy and hazard reporting process; internal operational risk assessment training
Step 2: Determine how many levels of consequences you need in your table Southland DLE has decided to use four consequence levels in our consequence table. We have defined these levels in terms of the level of management resources that would be involved.
Consequence levels (consequence level: description)
- VERY HIGH: Affects the ability of DLE to achieve its objectives and may require third-party intervention
- HIGH: Affects the ability of DLE to achieve its objectives and requires significant coordinated management effort at the Executive level
- MEDIUM: Affects the ability of a single business unit in DLE to achieve its objectives but requires management effort from areas outside the business unit
- LOW: Affects the ability of a single business unit in DLE to achieve its objectives and can be managed within normal management practices
Step 3: Describe each consequence level for each consequence type Southland DLE has aligned our consequence descriptions for each consequence type to the consequence level based on management resources to ensure that they are consistent and unambiguous.
Consequence type descriptions by consequence level

FINANCIAL (FIN): the financial impact
- LOW: does not exceed 0.1% of Southland DLE budget
- MEDIUM: at least 0.1% but less than 0.5% of Southland DLE budget
- HIGH: at least 0.5% but not more than 2% of Southland DLE budget
- VERY HIGH: exceeds 2% of Southland DLE budget

WORK HEALTH AND SAFETY (OH&S): an unsafe work environment or act causes
- LOW: 1 staff member or contractor lost-time injury
- MEDIUM: 1 to 5 staff member or contractor lost-time injuries
- HIGH: 1 or more staff member or contractor permanent disability injury and/or 5 to 25 staff or contractor lost-time injuries
- VERY HIGH: fatality and/or 5 or more staff member or contractor permanent disability injuries and/or 25 or more staff member or contractor lost-time injuries

BUSINESS CONTINUITY: loss of access to critical systems or facility causes
- LOW: service failure across a single service group's services that can be managed within the service group
- MEDIUM: a significant disruption to business continuity across a single service group's services requiring resources from other areas of Southland DLE
- HIGH: a major disruption to business continuity across multiple Southland DLE services
- VERY HIGH: a significant disruption in business continuity across all major Southland DLE services

LEGAL/COMPLIANCE: breach of legislation, law and/or government policy requirements causes failure to
- LOW: fully comply with requirements, which can be corrected without consequence
- MEDIUM: fully comply with requirements, resulting in legal action or internal investigation
- HIGH: comply with requirements, resulting in civil damages, criminal penalties or government investigation
- VERY HIGH: meet requirements, resulting in significant civil damages, serious/extreme criminal penalties or government remedial action
SERVICE PERFORMANCE: inability to meet service delivery performance requirements causes
- LOW: changes to service delivery strategies managed within the service group
- MEDIUM: significant changes to a single group's service delivery, requiring some realignment of resources within Southland DLE
- HIGH: significant realignment of service delivery strategies across several service groups
- VERY HIGH: imposition of significant service delivery reforms by government

REPUTATION AND IMAGE: management of issue(s) causes
- LOW: temporary loss of confidence in Southland DLE in some sections of the community and/or ongoing individual concerns
- MEDIUM: major impact on public confidence in Southland DLE (days) and/or concern expressed by Minister in Southland DLE activities
- HIGH: considerable and widespread impact on public confidence in Southland DLE (days/weeks) and/or issues raised in Parliament
- VERY HIGH: significant impact on public confidence in Southland DLE (months) and/or potential parliamentary enquiry
Step 2: Decide how to describe the likelihood Southland DLE has decided to define likelihood: in general terms, using words such as expected, could occur and may occur, and with indicative frequencies based on the chance of occurrence in the coming year.
Likelihood levels (likelihood: description)
- Almost certain (shown as AC in the risk register): the event will occur on an annual basis within the short-term (e.g. budget) planning cycle
- Likely: is likely to happen to Southland DLE within the long-term (10-year) planning cycle
- Possible: has happened in the Australian law enforcement sector
- Rare: could happen in the global law enforcement sector
Southland DLE has linked its risk communication and risk ownership strategies to its risk escalation points as shown in the table below.
Risk level: escalation and ownership
- EXTREME: Immediate escalation to the Executive; control strategy developed and monitored by the Executive
- MAJOR: Escalation to the Executive at next meeting; ownership of risk assigned to a member of the Executive
- MODERATE: Managed at functional/service group level; escalated to relevant Assistant DGs for information
- MINIMAL: Managed within functional area/service group
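The consequence levels, the FIN and OH&S bands, the likelihood levels and the escalation points above together determine how each register entry gets its worst-case, current and residual rating. The following Python is an added example written for this edition; it is not code from the Treasury toolkit or from Southland DLE. The 4 by 4 matrix is reconstructed from the (consequence, likelihood, risk level) combinations that appear in the case-study risk register later in this volume; the four cells the register never shows are marked ASSUMED, and a value that sits on a shared band boundary (a loss of exactly 0.5% of budget, exactly 5 lost-time injuries) is banded to the higher level, which is this example's choice rather than the toolkit's. The monotonicity check at the end is the test a practitioner would run on any hand-built matrix: raising consequence or likelihood must never lower the risk level.

```python
"""Risk rating and escalation helper modelled on the Southland DLE tables.

Added example, not part of the NSW Treasury toolkit. Level names and the
escalation text come from the case study; the matrix cells marked ASSUMED and
the tie-breaking at band boundaries are this example's own assumptions.
"""
from enum import IntEnum


class Consequence(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


class Likelihood(IntEnum):
    RARE = 1            # could happen in the global law enforcement sector
    POSSIBLE = 2        # has happened in the Australian law enforcement sector
    LIKELY = 3          # likely within the long-term (10-year) planning cycle
    ALMOST_CERTAIN = 4  # will occur annually within the short-term cycle


RISK_LEVELS = ["Minimal", "Moderate", "Major", "Extreme"]  # ascending severity

# Escalation points from the Southland DLE table.
ESCALATION = {
    "Extreme": "Immediate escalation to the Executive; control strategy developed and monitored by the Executive",
    "Major": "Escalation to the Executive at next meeting; ownership of risk assigned to a member of the Executive",
    "Moderate": "Managed at functional/service group level; escalated to relevant Assistant DGs for information",
    "Minimal": "Managed within functional area/service group",
}

# (consequence, likelihood) -> risk level. The first twelve cells are the
# combinations observed in the case-study register; the last four are ASSUMED.
MATRIX = {
    (Consequence.VERY_HIGH, Likelihood.ALMOST_CERTAIN): "Extreme",
    (Consequence.VERY_HIGH, Likelihood.POSSIBLE): "Major",
    (Consequence.VERY_HIGH, Likelihood.RARE): "Moderate",
    (Consequence.HIGH, Likelihood.ALMOST_CERTAIN): "Major",
    (Consequence.HIGH, Likelihood.LIKELY): "Major",
    (Consequence.HIGH, Likelihood.POSSIBLE): "Moderate",
    (Consequence.HIGH, Likelihood.RARE): "Moderate",
    (Consequence.MEDIUM, Likelihood.ALMOST_CERTAIN): "Moderate",
    (Consequence.MEDIUM, Likelihood.LIKELY): "Moderate",
    (Consequence.MEDIUM, Likelihood.POSSIBLE): "Moderate",
    (Consequence.MEDIUM, Likelihood.RARE): "Minimal",
    (Consequence.LOW, Likelihood.LIKELY): "Minimal",
    (Consequence.VERY_HIGH, Likelihood.LIKELY): "Extreme",   # ASSUMED
    (Consequence.LOW, Likelihood.ALMOST_CERTAIN): "Minimal",  # ASSUMED
    (Consequence.LOW, Likelihood.POSSIBLE): "Minimal",        # ASSUMED
    (Consequence.LOW, Likelihood.RARE): "Minimal",            # ASSUMED
}


def financial_consequence(loss, budget):
    """Band a loss by the FIN row: <0.1%, 0.1-0.5%, 0.5-2%, >2% of budget.

    A loss on the shared 0.5% boundary is banded to the higher level; VERY HIGH
    is "exceeds 2%", so a loss of exactly 2% stays HIGH.
    """
    if budget <= 0:
        raise ValueError("budget must be positive")
    share = loss / budget
    if share < 0.001:
        return Consequence.LOW
    if share < 0.005:
        return Consequence.MEDIUM
    if share <= 0.02:
        return Consequence.HIGH
    return Consequence.VERY_HIGH


def whs_consequence(lost_time, permanent=0, fatalities=0):
    """Band a WHS event by the OH&S row; the worst applicable level wins."""
    if fatalities > 0 or permanent >= 5 or lost_time >= 25:
        return Consequence.VERY_HIGH
    if permanent >= 1 or lost_time >= 5:
        return Consequence.HIGH
    if lost_time > 1:
        return Consequence.MEDIUM
    return Consequence.LOW


def rate(consequence, likelihood):
    """Return (risk level, escalation rule) for one consequence/likelihood pair."""
    level = MATRIX[(Consequence(consequence), Likelihood(likelihood))]
    return level, ESCALATION[level]


def register_entry(worst_case, current, residual):
    """Rate the three views the register keeps per risk; each is a (C, L) pair."""
    views = {"worst_case": worst_case, "current": current, "residual": residual}
    return {name: rate(*pair)[0] for name, pair in views.items()}


def matrix_is_monotonic():
    """Sanity check: raising consequence or likelihood never lowers the level."""
    rank = {lvl: i for i, lvl in enumerate(RISK_LEVELS)}
    for c in Consequence:
        for l in Likelihood:
            here = rank[MATRIX[(c, l)]]
            if c < Consequence.VERY_HIGH and rank[MATRIX[(Consequence(c + 1), l)]] < here:
                return False
            if l < Likelihood.ALMOST_CERTAIN and rank[MATRIX[(c, Likelihood(l + 1))]] < here:
                return False
    return True


if __name__ == "__main__":
    # Register risk A3 (IT systems hacked): worst case V High / Almost certain,
    # current V High / Possible, residual V High / Rare.
    vh = Consequence.VERY_HIGH
    print(register_entry((vh, Likelihood.ALMOST_CERTAIN), (vh, Likelihood.POSSIBLE), (vh, Likelihood.RARE)))
    print(rate(financial_consequence(5_000_000, 1_000_000_000), Likelihood.LIKELY))
```

Run as a script it prints the three A3 ratings (Extreme, Major, Moderate) that the register records, and rates a 0.5%-of-budget loss that is Likely as Major with the matching escalation rule. If an agency's real matrix differs from the reconstruction, only MATRIX needs editing; matrix_is_monotonic() will still catch an inverted cell.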
Strategic risk register (extract). Source columns: ID; Risk description (consequence type); Ratings for the worst case, current and residual views (consequence, likelihood (L), risk level, accept?); Controls/risk treatment: description (owner) and effect; Review and reporting requirements; Committee (Comm.); review period.

Risk (ID and description not carried over on this page)
- Ratings: Current: Med, Likely, Moderate, accept: Yes (worst case and residual values not carried over)
- Controls/risk treatment: Forward workforce planning; targeted recruitment strategies (effect: Yes); training matrix for workforce; review and revision of training needs (SUP HRM)
- Review and reporting: Review the effectiveness of the controls through annual frontline officer and specialist roles skills audit

Risk A3 (Comm.: Exec Team; review: 3/12)
- Description: not carried over on this page; the risk status report later in this section records it as "Ageing and obsolete IT infrastructure causes IT systems to be hacked, resulting in inappropriate use and loss of sensitive information"
- Ratings: Worst case: V High, Almost certain (AC), Extreme, accept: No. Current: V High, Possible, Major, accept: No. Residual: V High, Rare, Moderate
- Controls/risk treatment: Firewall and virus software; user access controls; user ID and password policy; routine penetration testing (MAN Exec Res and Inf). Effect: No
- Review and reporting: Quarterly reporting to the Executive of progress against project milestones and budget; reporting of firewall breaches to ADG CS
Risk A4 (Comm.: Exec Team)
- Description (REPUTATION AND IMAGE): Findings of widespread corruption in other jurisdictions creates a negative association for Southland DLE as a law enforcement agency, resulting in loss of reputation, heightened scrutiny and lower internal morale
- Ratings: Worst case: Med, Likely, Moderate, accept: No. Current: Low, Likely, Minimal, accept: Yes
- Controls/risk treatment: Recruit psychological testing program, induction program, governance (incl. whistleblower) programs (MAN Educ Serv). Effect: Yes
- Review and reporting: Quarterly report to the Executive on reported incidents of suspected fraud or corruption, and/or access to whistleblower program

Risk A5 (Comm.: Exec Team; review: 3/12; owner: ADG CS)
- Description (REPUTATION AND IMAGE; FINANCIAL): Questions about the performance and effectiveness of Southland DLE's activities raised by the Parliamentary Accounts Committee causes a perception that the Department does not present good value to the community, resulting in an adverse impact to our budget position
- Ratings: Worst case: High, Likely, Major, accept: No. Current and residual: Med, Possible, Moderate, accept: Yes
- Controls/risk treatment: Performance management systems in place to monitor outputs against objectives on a quarterly basis; performance measures are reviewed and updated annually; Executive monitoring of budget against performance criteria (crime statistics, road safety, community measure, etc.) (effect: Yes); twice-yearly assessment to identify opportunities for improvement and/or reallocation of resources (DIR Strat. Plan.)
- Review and reporting: Reporting as directed through the strategic plan; reporting as directed through community performance metrics
Risk A6 (Comm.: Exec Team; owner: ADG CS)
- Description (SERVICE PERFORMANCE): Increasing age of frontline officers and an imbalance between retirements compared to recruitments causes a skill shortage across frontline policing roles, resulting in the inability to provide frontline policing
- Ratings (partly lost in extraction): Worst case: values not carried over. Current: Major, accept: No. Residual: Moderate, accept: Yes
- Controls/risk treatment: Development of workforce-planning strategy to bring forward recruitment numbers and reskill non-frontline officers to frontline positions (effect: Yes); targeted recruitment strategies to include socially diverse groups (SUP HRM); consider and develop incentive schemes (SUP HRM) (effect: Yes)
- Review and reporting: Report quarterly to the Executive on workforce-planning strategy progress; report quarterly to the Executive on workforce retention statistics

Risk A7 (Comm.: Exec Team; review: 3/12; owner: ADG FO)
- Description (REPUTATION AND IMAGE): Poor communication has led to a mismatch between the community's perception of public safety and real crime rates, resulting in a drop in Southland DLE's reputation as an effective policing authority
- Ratings: Worst case: Med, Possible, Moderate, accept: No. Current: Med, Possible, Moderate, accept: No. Residual: Med, Rare, Minimal, accept: Yes
- Controls/risk treatment: Community education and communication strategy about serious crime rates and impact (DIR PA) (effect: No); improve communication of strategy to stakeholders; monitor community response and modify strategy accordingly (effect: Yes)
- Review and reporting: Review community education strategy annually; report to the Executive on communication strategy performance every six months; report to the Executive on community safety measures following each survey

Risk (ID not carried over; review: 3/12; owner: ADG RS)
- Description (SERVICE PERFORMANCE): Poorly delivered road safety awareness campaign causes the road safety education program to fail, resulting in Southland DLE missing road safety improvement targets
- Ratings: Worst case: High, Possible, Moderate, accept: No. Current and residual: High, Rare, Moderate, accept: Yes
- Controls/risk treatment: Service provider agreement with performance metrics in place; independent program evaluation to assess effectiveness (DIR PA) (effect: Yes)
- Review and reporting: Review service provider agreement performance criteria annually; report to the Executive quarterly on road safety performance statistics
Risk (ID not carried over; the risk status report later in this section lists this risk as 2.1; review: 3/12)
- Description: Southland DLE's inability to fill specialist analyst roles causes a new or emerging threat, e.g. cybercrime, to be overlooked, resulting in greater community concern about potential incidents
- Ratings: Worst case: V High, Almost certain (AC), Extreme, accept: No. Current: V High, Possible, Major, accept: No. Residual: Moderate, accept: Yes
- Controls/risk treatment: Staff access to national training programs, formal and/or informal sharing of information across jurisdictions (ADG SO) (effect: Yes); establishment of specialty units with skill and experience in emerging threats such as cybercrime (effect: Yes); develop alliances with national and international assessment and investigation bodies (ADG SO)
- Review and reporting: Monthly emerging threat assessment report to the Executive; report on progress in establishing specialty units, and national/international alliances

Risk (ID not carried over; owner: ADG FO)
- Description: Ageing IT infrastructure causes Southland DLE's communication systems to fail and they are non-operational for a number of hours, resulting in the inability to deliver effective policing services to the community
- Ratings: Worst case: Major, accept: No (consequence and likelihood not carried over). Current: High, Almost certain (AC), Major, accept: No. Residual: High, Rare, Moderate, accept: Yes
- Controls/risk treatment: Southland DLE Business Continuation Plan (CRO) (effect: Yes); reduce the level of risk through an investment in upgrading the IT system for communications (ADG CS) (effect: No)
- Review and reporting: Report on annual BCP testing; quarterly reporting to the Executive on progress against project milestones and budget; reporting of communication systems failures to ADG Corporate Services
Risk (ID not carried over; owner: ADG FO)
- Description: The inability to gain government support for the policy allowing volunteers to police school crossings causes greater strain on frontline policing resources, resulting in a reduction in policing services to the community
- Ratings: Worst case: Med, Almost certain (AC), Moderate, accept: No. Current: Med, Possible, Moderate, accept: No. Residual: Med, Possible, Moderate, accept: Yes
- Controls/risk treatment: Undertake stakeholder focus group meetings throughout affected community (DIR CE) (effect: No); investigate alternative policies that allow a transfer of school crossing duties to non-uniformed officers or other strategies that do not require changes to legislation (effect: Yes)
- Review and reporting: Report from project steering group to the Executive on status of project quarterly; report to the Executive on alternative strategies

Risk (ID not carried over; review: 3/12)
- Description: Changes in population demographics across Southland, which are not considered in DLE's policing strategy, result in Southland DLE frontline policing becoming ineffective for local communities
- Ratings: Worst case: High, Likely, Major, accept: No. Current: High, Possible, Moderate, accept: No. Residual: Med, Possible, Moderate, accept: Yes
- Controls/risk treatment: Workforce-planning strategy assesses socio-demographic changes in the community (SUP HR) (effect: Yes); implement mobile policing into regional areas; undertake recruitment programs within socially diverse groups (effect: Yes); offer incentives for officers to relocate to regional areas (SUP HR)
- Review and reporting: Report quarterly to the Executive on workforce-planning strategy progress; report quarterly to the Executive on workforce retention statistics; annual report to the Executive on Southland's demographic mix and changes by specialist
Risk (ID not carried over; the risk status report later in this section lists this risk as 3.4; review: 3/12)
- Description: Lack of community understanding about the role of the 000 emergency hotline causes an increase in non-urgent calls, resulting in an increase in emergency call receipt times
- Ratings: Worst case: V High, Possible, Major, accept: No. Current: Med, Possible, Moderate, accept: Yes
- Controls/risk treatment: Public education campaign on emergency and non-emergency numbers; regular testing of technology for redirecting calls and updating as required (effect: Yes); staff training and development for handling calls
- Review and reporting: Report quarterly to the Executive on call receipt statistics

Risk (ID not carried over; owner: ADG SO)
- Description: Insufficient skills and budget to increase levels of skilled staff and retrain staff in new forensic technology division causes a failure to take advantage of improvements in forensic technology, resulting in an increase in challenges over quality of trial evidence, poor judicial outcomes, reduced morale, and the inability to attract and retain incident investigation and forensic evidence staff
- Ratings: Worst case: High, Almost certain (AC), Major, accept: No. Current: High, Likely, Major, accept: No. Residual: High, Possible, Moderate, accept: Yes
- Controls/risk treatment: Resource forensic specialists and provide training to current forensic and investigations staff in leading-edge technologies (DIR Foren.Inv.Unit) (effect: No); seek strategic partnerships with high-performing forensics organisations (DIR Foren.Inv.Unit) (effect: Yes)
- Review and reporting: Report to the Executive on progress in creating and filling staff specialist roles; report to the Executive on strategic partnerships as they are agreed to
[Figures: bar charts of the number of risks affecting each strategic objective, broken down by risk level (Ext, Maj, Mod, Min); vertical axis "Number of risks" (0 to 6). Objectives shown: Safer community; 2. Reduced rates of crime (1 risk); 3. People feel safe (4 risks); 4. Effective & respected judicial system (1 risk).]

Chart 1: Risks affecting strategic objectives: comparison of worst case and current risk levels (for risks where only one symbol is shown, the current controls for the risk are non-existent or ineffective).

Chart 2: Risks affecting strategic objectives: comparison of current and residual risk levels (for risks where only one symbol is shown, the risk is acceptable/tolerable at its current level).

Legend: W = Worst case risk level; C = Current risk level; R = Residual risk level.
Strategic risk status report (extract). Source columns: Risk ID; Risk description; Impacts (consequence type); Risk levels (worst case, current); date; Risk owner; Monitoring mechanisms; Current status.

1. Extreme risks

A3: Ageing and obsolete IT infrastructure causes IT systems to be hacked, resulting in inappropriate use and loss of sensitive information
- Risk levels: worst case Extreme; current Major (March 2012)
- Risk owner: ADG CS
- Monitoring mechanisms: Reporting of firewall breaches to ADG CS
- Current status: Month to end March 2012: three attempted breaches, none successful

2.1: Southland's inability to fill specialist analyst roles causes a new or emerging threat, e.g. cybercrime, to be overlooked, resulting in greater community concern about potential incidents
- Risk levels: worst case Extreme; current Major (March 2012)
- Risk owner: ADG SO

Impacts listed against these two risks: LEGAL/COMPLIANCE; REPUTATION AND IMAGE; FINANCIAL

A6 (SERVICE PERFORMANCE)
- Risk levels: worst case Major; current Major (March 2012)
- Risk owner: ADG CS
- Current status: Workforce retention statistics for quarter ending March 2012 will be tabled at May 2012 meeting

3.4
- Risk levels: worst case Major; current Moderate (March 2012)
- Risk owner: ADG FO
- Current status: Call receipt statistics for quarter ending March 2012: Calls received: 44,326